Some of the most significant concerns with connected vehicles are cybersecurity and privacy protection. These concerns were the main impetus behind the creation in the US of the Auto Information Sharing and Analysis Centre (ISAC) by a group of US automakers in July of 2014. The group allows its members to share information about threats and vulnerabilities, conduct analysis and develop industry solutions. The Auto ISAC has now released its “Automotive Cybersecurity Best Practices”.
On August 16, 2016, Public Safety Canada (“PSC”) issued a consultation paper, launching a public consultation as part of PSC’s development of an updated national cybersecurity strategy. The consultation will close on October 15, 2016. Businesses may want to consider making submissions in respect of some key questions posed around possible regulation or standard-setting regarding Internet of Things and connected devices, certification for E-commerce activities, and information sharing (especially in respect of critical infrastructure).
Pension and benefit plan provider breaches privacy law causing employee to lose life insurance coverage
Many of us have called service providers to change basic information, such as a mailing address. You pick up the phone, speak to a representative, and the change is made; no big deal, right? This seamless scenario may not always be the case. Any little misstep on an organization’s part can cause grief not only for the customer, but also for the organization itself. This proved to be true when an employee complained to the Office of the Privacy Commissioner of Canada that her employment pension and benefit provider disclosed her personal information to a third party without her consent.
U.S. online payment processor Dwolla fined $100,000 for misrepresenting data security practices: Lessons for Canadian companies
In March 2016, the U.S. Consumer Financial Protection Bureau (“CFPB”) issued a Consent Order against Dwolla Inc., an online payment platform, for deceiving consumers about its information security practices. The CFPB levied a $100,000 civil monetary penalty against the company, a first for the CFPB. While Canada has different privacy and consumer protection regimes, the lessons from the Dwolla case point to a new direction in enforcement approaches.
A recent privacy complaint was filed against a telecommunications company under PIPEDA regarding frequent email problems.
Recent hacker attacks — including the first successful attack on an Apple computer, and several attacks on U.S. and Canadian hospitals — have reminded Canadian businesses of the need to be vigilant about the danger posed by ransomware.
People love their phones. Phones now accompany us pretty much wherever we go, whatever we do. People use their phones in church, in restaurants, at the theatre, and, apparently, while committing crimes. And our phones are leaving a trail behind us.
Police know this. They also know that records are created every time our phones connect to cell towers to send and receive calls, SMS messages, or data. Every one of those records indicates that a phone (and, implicitly, the person carrying it) was in range of a particular cell tower, at a particular time.
This could be useful information if, say, one wanted to identify the person (or people) responsible for a string of jewelry store robberies.
The method will be familiar to many from movies and T.V. shows: all you need to do is to gather a list of every single person who was near each of the locations of interest at the time of interest and analyze the patterns. And, hey, that cell tower data can provide that list….
But is it legal?
A question that I often get from clients is one about cyber-insurance. In light of the recent passing of Bill S-4, better known as the Digital Privacy Act, the Personal Information Protection and Electronic Documents Act has now been amended to include mandatory breach notification provisions. While these mandatory breach notification provisions are not yet in force, it is a good time to review your cyber-insurance coverage.